Legal Investigation in Social Media: How to Do It; How Not to Do It
Benjamin Wright, Attorney
SANS Institute: “Law of Data Security & Investigations”
This is not legal advice.

Agenda
• How to record evidence
• Admissibility and authentication of evidence
• Risks in collecting evidence
• Methods for managing risks
• The power of a “preservation letter”
• General principles for guiding social media investigations

Examples
• Regulatory investigators gather evidence via social media
• “Welfare cheat foiled by Facebook” http://bit.ly/JQSMrQ
• Based on Facebook videos, Hawaiian Humane Society issues citations; prosecutor to press charges http://bit.ly/IsfgxZ

Many Social Networks
• Facebook, Twitter and LinkedIn are just a part of the topic
• Many new social networks, like Google Plus, Quora, Instagram, Groupon, Pinterest, Touristlink
• Thousands of blogs and special interest forums

Different from Traditional Digital Forensics Investigations
• Traditional: investigator has access to hardware that holds data
• In web, cloud or social media investigation, investigator typically does not have direct access to hardware on which original data are stored
• The data can change from minute to minute
• Format of service changes from month to month
• Service provider may or may not cooperate

Rely on Witness Testimony
• Ultimately, court looks to someone to testify about what happened & how it looked at a point in time
• Two witnesses are better than one
• Printout – most common form of social media investigative record
• But printouts can be awkward and can miss a lot

Screencast
• Captures the look, the words, the images, the interactivity and inter-relationships from one page and link to the next
• Captures webcam narration by witness – which can be compelling to judge and jury
• Free, open-source tool: screencast-o-matic.com
• Other products like Camtasia

Many Posts and Demos of Screencast Evidence Capture
• http://bit.ly/e825MF - live chat
• http://bit.ly/ePV9E0 - web activity
• http://bit.ly/w3swEC - online financial trades
• http://bit.ly/nsZ6ZG - undercover police in social media
• I welcome your comments, questions and criticism!

Screencast Script
• Create a unified package of evidence, integrating pages, links and testimony
• Investigator – as eyewitness – recorded by audio or webcam
• Script of the investigator:
  • His identity, purpose & authority
  • Time and date
  • His statement of signature, taking responsibility for what he sees

The Power of an Affidavit: Paper, Audio, Video or Other File
• “I, Jane Doe, hereby affirm that I collected the following evidence in the way described.” Sign, date, notarize
• Prevents Jane Doe’s memory from wandering
• Jane Doe may not work for, or cooperate with, you two years from now
• Webcam signature is pretty convincing http://bit.ly/a0X9kZ

Corroborate Date and Time
• State date and time in record/affidavit; then
• Send record by enterprise email to multiple people (timestamp), or
• Store the record on enterprise SharePoint, which shows audit trail with time, or
• Upload record to a third-party service like Microsoft SkyDrive, which records date

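One way to tie the emailed or uploaded timestamp to the exact file that was captured, as an added example that is not part of the original slides. Including a SHA-256 digest is an assumption added here (the slides do not prescribe it), and the field names, file name and sample values are hypothetical; the record text is what would go into the affidavit and the email body.

```python
import hashlib
import hmac
import io
import json
from datetime import datetime, timedelta, timezone

def sha256_stream(stream, chunk_size=1 << 20):
    """Hash a file-like object in chunks so a large screencast need not fit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def build_capture_record(stream, filename, investigator, purpose, authority, captured_at):
    """Bind the script fields (identity, purpose, authority, time) to one file's digest."""
    if captured_at.tzinfo is None:
        # A bare local time is ambiguous once the record leaves the investigator's desk.
        raise ValueError("captured_at must be timezone-aware")
    return {
        "filename": filename,
        "sha256": sha256_stream(stream),
        "investigator": investigator,
        "purpose": purpose,
        "authority": authority,
        "captured_at_utc": captured_at.astimezone(timezone.utc).isoformat(timespec="seconds"),
    }

def record_text(record):
    """Stable JSON text for the affidavit and for the email or upload description."""
    return json.dumps(record, sort_keys=True, indent=2)

def matches_record(record, stream):
    """True only if the file presented later is byte-identical to the one recorded."""
    return hmac.compare_digest(record["sha256"], sha256_stream(stream))

# Constructed sample input: these bytes stand in for a saved screencast file.
SAMPLE_CAPTURE = b"constructed sample bytes standing in for capture.mp4"
SAMPLE_RECORD = build_capture_record(
    io.BytesIO(SAMPLE_CAPTURE), "capture.mp4", "Jane Doe",
    "constructed example purpose", "constructed example authority",
    datetime(2012, 5, 1, 9, 30, tzinfo=timezone(timedelta(hours=-5))),
)

if __name__ == "__main__":
    print(record_text(SAMPLE_RECORD))
    print("unchanged copy matches:", matches_record(SAMPLE_RECORD, io.BytesIO(SAMPLE_CAPTURE)))
```

The digest does not prove when the capture happened; the mail server, SharePoint audit trail or upload date does that, and the digest shows that the file produced later is the one that timestamp refers to.
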
Undercover Cops Example
• Two witnesses
• Record voice but no video
• Mercer County prosecutor’s office, New Jersey – gang investigation
• http://bit.ly/Ai3nQB

Investigative/Recording Tools
• Vere Software
• X1 Discovery
• Hashbot
• Iterasi web archiving service
• Others
• Each works differently
• Regardless, an affidavit from a witness is helpful.

Interpretation
• Does this mean no one can, without consent, copy something from Facebook for purposes of an investigation?
• I think not.
• Making limited copies is generally accepted practice.
• But the principle of “proportionality” is relevant.

“Proportionality”
• The scale of data collection matters
• A broad, general principle from privacy and e-discovery law is that the collecting and management of data should be “proportionate” to the case (considering risks, costs, urgency and so on)
• See blog articles http://bit.ly/ga7U7w and http://bit.ly/937Swa

Admission of Evidence
• Social media evidence is very commonly admitted into legal proceedings
• Varying degrees of formality in proceedings
• However, some criminal cases show skeptical courts
• Criminal cases have higher standard of proof

Authenticate Myspace
• Griffin v. Maryland, No. 74 (Maryland; Apr. 28, 2011) - In murder trial, questions arise why a witness gives conflicting testimony. Prosecution tries to show defendant’s girlfriend threatened witness through Myspace. Court: Myspace evidence insufficiently authenticated. An imposter could have posted the message.

Addressing the Authentication Issue: Law Enforcement Search Warrants
• Can collect details from the service provider like IP address, time, application, mobile carrier and more
• These details can help with authentication
• Zachary Wolff, “Twitter: To log or not to log: Is that the question?” http://blog.logrhythm.com/uncategorized/631/

Alternative Ways to Authenticate Evidence
• Interact with the user (if permitted)
• Gather corroborating detail about user statements, activities and timeline
• Corroborating details can be collected from multiple sources (Facebook, Twitter, special interest forums, games, phone, witnesses and so on)

Risks: Ethical Limitations
• New York State Bar Ethics Opinion 843 (9/10/2010); NY City Bar Formal Opinion 2010-2; San Diego County Bar Opinion 2011-2
• Lawyers may view public postings of adversaries
• May not friend an adversary represented by a lawyer
• May not use deception to friend someone

No Trespassing Sign?
• Pietrylo v. Hillstone Restaurant Group
• Private Myspace forum: “talk about all the crap/drama/and gossip occurring in our workplace, without having to worry about outside eyes prying in.”
• Management got password; fired employees
• Jury: company must pay back wages and punitive damages

Lessons from the Hillstone Case
• Exercise restraint and discretion
• Watch out for and evaluate claims of privacy
• Careful with passwords that don’t belong to you

Managing Risk: Restraint and Proportionality
• Canada Privacy Commissioner (PIPEDA Case Summary #2009-019): employer may investigate if employee had violated employment contract
• Principle: have a logical, evidence-based justification for getting sensitive information
• Predicate evidence justifies getting more evidence, but only what is necessary
• This principle is consistent with discovery principles in civil litigation

Managing Risk: Interview the Subject First?
• A formal HR interview or deposition puts pressure on subject to tell the truth
• Yes, subject could delete data, but
• Deletion of data itself is evidence of wrongdoing that could hang the subject
• Deleting data is harder than it looks because copies are spread everywhere

Power of a Preservation Letter
• Letter puts adversary on notice not to destroy records
• Focuses the adversary’s attention on electronic evidence and all the steps that might be necessary to preserve it
• http://bit.ly/A5XrGH

Legal Steps to Access Non-Public Data
• Consent of the user
• E-discovery demand to user
• Informal request to social network
• Subpoena to social network
• Search warrant for law enforcement
• Find the data in an alternative, public location

Informal Request
• Very commonly service providers – especially smaller ones – will cooperate with requests from government
• Fugitive plays World of Warcraft
• Howard County, Indiana, Sheriff sends polite letter to operator of game
• Service provider reveals IP address, which leads to fugitive in Canada http://bit.ly/xzpMwh

Civil Subpoenas for Content
• Big service providers tend to resist
• Smaller service providers may be more cooperative
• Crispin v. Christian Audigier, Inc.
• Civil subpoena to FB and Myspace quashed
• Content protected under Stored Communications Act
• May be difference between private messages and wall postings

Alternative Locations for Evidence
• Notices and copies to email or phone SMS (text)
• Replication at other sites (my Facebook and LinkedIn repeat my tweets)
• Sharing by friends
• Cache on computer

General Principles for Investigators
• Keep thorough, signed, time-stamped records
• Record your justification
• Keep the methods and evidence capture proportionate and within the scope of the justification
• User consent (employment application or terms of employment) reduces risk
• Be creative to find the data

Blog: benjaminwright.us
Google Plus: gplus.to/privacy
This presentation is not legal advice for any particular situation. If you need legal advice, you should consult the lawyer who advises you or your organization. Use this material at your own risk. Anyone may reuse or reproduce it.